[Date Prev][Date Next]
Re: Questions about SSL/TLS - yes, I read openldap.org
tor, 26.02.2004 kl. 21.38 skrev dap:
> TLSCertificateFile /usr/local/etc/openldap/ssl/slapd-cert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/slapd-key.pem
> TLS_CACERT /usr/local/etc/openldap/ssl/slapd-cert.pem
> Is this wrong? It seems to work. openldap.org seems to rely on
> pointing to slapd-ca.pem. (openldap.org points to three files,
> cert, key, and ca.)
> I am trying to reconcile the differences between the documentation in
> book and the site.
The site's right. Dunno who Carter is, or what he wrote, but when you
read further about the whole point of X500 certs, you'll see why. Later
on, you may have to give the CAcert to clients on other machines.
Neither the server certificate nor the key have anything to do with
those clients and they don't need or want them; moreover doing this is
very bad security. The server should offer the details of a cert, and
the client should check against the authority that signed it, which it
does using the dedicated CA cert. No-one but the server UID and root
should ever be able to read the key file or the server cert file.
mail: billy - at - billy.demon.nl